Authenticated session management across multiple electronic devices using a virtual session manager

US 10,462,124 B2
Filed: 12/30/2016
Issued: 10/29/2019
Est. Priority Date: 12/30/2016
Status: Active Grant

First Claim

Patent Images

1. A method of maintaining a web session for a user across multiple electronic devices, the method comprising:

by a user agent of a first electronic device that is being used by a user;

discovering a plurality of electronic devices including a second electronic device that is in a communication range of the first electronic device;

presenting, to the user, identifiers associated with each of the discovered plurality of electronic devices, including an identifier for the second electronic device;

determining that the second electronic device includes a virtual session manager;

receiving a first authentication request, wherein the first authentication request comprises a request to access a first web resource for the user at the first web resource;

transmitting the first authentication request to an endpoint device via the virtual session manager of the second electronic device so that the virtual session manager can present a grant token to the endpoint device or receive the grant token from the endpoint device without the first electronic device having any access to the grant token;

receiving, from the virtual session manager, a first access token in response to the first authentication request, wherein the first access token has a life that is shorter than a life of the grant token such that the grant token is relatively long-lived and the first access token is relatively short-lived;

storing the first access token in a memory; and

using the first access token to access the first web resource and establish or maintain a virtual session with the first web resource, wherein one or more parameters associated with the user'"'"'s use of the first web resource are automatically sent to maintain or automatically reconnect to the virtual session so that the virtual session is uninterrupted without manually entering the parameters.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A virtual session manager of an electronic device maintains a web session for a user across multiple electronic devices. The virtual session manager will receive an authentication request from a first electronic device that is in a communication range of the virtual session manager'"'"'s device. The virtual session manager will transmit the authentication request to an endpoint device, and it will either present a grant token to or receive a grant token from the endpoint. The virtual session manager will receive a first access token from the endpoint device. The virtual session manager will transmit the first access token to the first electronic device so that the first electronic device can establish a virtual session with the first web resource without having any access to the grant token.

112 Citations

22 Claims

1. A method of maintaining a web session for a user across multiple electronic devices, the method comprising:
- by a user agent of a first electronic device that is being used by a user;
  
  discovering a plurality of electronic devices including a second electronic device that is in a communication range of the first electronic device;
  
  presenting, to the user, identifiers associated with each of the discovered plurality of electronic devices, including an identifier for the second electronic device;
  
  determining that the second electronic device includes a virtual session manager;
  
  receiving a first authentication request, wherein the first authentication request comprises a request to access a first web resource for the user at the first web resource;
  
  transmitting the first authentication request to an endpoint device via the virtual session manager of the second electronic device so that the virtual session manager can present a grant token to the endpoint device or receive the grant token from the endpoint device without the first electronic device having any access to the grant token;
  
  receiving, from the virtual session manager, a first access token in response to the first authentication request, wherein the first access token has a life that is shorter than a life of the grant token such that the grant token is relatively long-lived and the first access token is relatively short-lived;
  
  storing the first access token in a memory; and
  
  using the first access token to access the first web resource and establish or maintain a virtual session with the first web resource, wherein one or more parameters associated with the user'"'"'s use of the first web resource are automatically sent to maintain or automatically reconnect to the virtual session so that the virtual session is uninterrupted without manually entering the parameters.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 further comprising, by the user agent of the first electronic device:
    - when receiving the first access token from the virtual session manager, also receiving a history from the virtual session manager, wherein the history includes the one or more parameters, the one or more parameters being associated with the user'"'"'s use of the first web resource when the grant token was transmitted to the endpoint device.
  - 3. The method of claim 1 further comprising, by the user agent of the first electronic device:
    - determining that the plurality of discovered electronic devices each include a virtual session manager; and
      
      receiving, via a user interface, a selection of the second electronic device.
  - 4. The method of claim 1 further comprising, by the virtual session manager of the second electronic device:
    - upon receiving the first authentication request, determining that a plurality of existing virtual sessions are available for the first web resource, each of which has a corresponding grant token;
      
      outputting identifiers for the virtual sessions;
      
      receiving, via a user interface, a selection of one of a plurality of existing virtual sessions; and
      
      transmitting, to the endpoint device with the first authentication request, a request to connect to the selected existing virtual session;
      
      wherein the grant token that will be presented to the endpoint device is the grant token that corresponds to the selected existing virtual session.
  - 5. The method of claim 1 further comprising, by the virtual session manager of the second electronic device:
    - upon receiving the first authentication request, determining that a plurality of existing virtual sessions are available for the first web resource, each of which has a corresponding grant token;
      
      outputting identifiers for the existing virtual sessions;
      
      receiving, via a user interface, a request to start a new virtual session rather than connect to any of the existing virtual sessions;
      
      when transmitting, the first authentication request to an endpoint device, transmitting the first authentication request to a login endpoint;
      
      receiving the grant token from the login endpoint; and
      
      storing the grant token in a memory of the second electronic device.
  - 6. The method of claim 5 further comprising, by the virtual session manager of the second electronic device, transmitting the request to start the new virtual session to the login endpoint with the first authentication request.
  - 7. The method of claim 5 further comprising, by the virtual session manager of the second electronic device:
    - in response to receiving the request to start a new virtual session, generating a prompt for the user to present an access credential to the second electronic device;
      
      receiving the access credential via a user interface of the second electronic device;
      
      confirming that the access credential authorizes the user to access the first web resource; and
      
      in response to receiving the access credential and confirming that the access credential authorizes the user to access the first web resource, transmitting the request to start the new virtual session to the endpoint device with the first authentication request.
  - 8. The method of claim 1 further comprising, by the user agent of the first electronic device:
    - when the first access token expires or is about to expire, transmitting a re-authentication request to the endpoint device via the second electronic device so that the virtual session manager of the second electronic device can present the re-authentication request with the grant token to the endpoint device without the first electronic device having any access to the grant token;
      
      receiving an updated access token from the endpoint device via the second electronic device, wherein the updated access token replaces the first access token and has a life that is shorter than the life of the grant token; and
      
      using the updated access token to maintain the virtual session.
  - 9. The method of claim 1 further comprising, by the virtual session manager of the second electronic device, presenting the user an interface via which the user may command the virtual session manager to do one or more of the following:
    - disable the virtual session, in which case the virtual session manager will cease obtaining access tokens for the virtual session;
      
      re-enable a disabled virtual session;
      
      in which case the virtual session manager will grant an updated access token for the disabled virtual session to all electronic devices for which the virtual session manager previously disabled access;
      
      re-group a virtual session, in which case the virtual session manager will identify an alternate virtual session for which it has a grant token, send the grant token for the alternate virtual session to the endpoint device, receive an alternate access token from the endpoint device, and transmit the alternate access token to the first electronic device so that the first electronic device will replace the first access token with the alternate access token and use the alternate access token to connect to the alternate virtual session;
      
      delete the virtual session, in which case the virtual session manager will delete the grant token;
      
      orremove the first electronic device, in which case the virtual session manager will disable the first access token and prevent the first electronic device from receiving additional access tokens until the virtual session manager receives a valid authentication credential.
  - 10. The method of claim 1, further comprising, by the user agent:
    - prompting the user to perform a known user action;
      
      in response to detecting the known user action, obtaining a user presence token; and
      
      transmitting the user presence token to the first web resource with the first access token when establishing the virtual session with the first web resource.

11. A method of maintaining a web session for a user across multiple electronic devices, the method comprising:
- by a virtual session manager of a second electronic device;
  
  receiving, from a first electronic device that is in a communication range of the second electronic device, a first authentication request, wherein the first authentication request comprises a request to access a first web resource, and wherein a plurality of electronic devices including the second electronic device was discovered by the first electronic device and identifiers associated with each of the discovered plurality of electronic devices, including an identifier of the second electronic device, were presented to the user by the first electronic device;
  
  transmitting the first authentication request to an endpoint device;
  
  if the first authentication request comprises a request to connect to an existing session with the first web resource including a grant token when transmitting the first authentication request to the endpoint device, otherwise receiving the grant token from the endpoint device for a new session, and in either case not providing the first electronic device with any access to the grant token;
  
  receiving, from the endpoint device, a first access token in response to the first authentication request, wherein the first access token;
  
  has a life that is shorter than a life of the grant token such that the grant token is relatively long-lived and the first access token is relatively short-lived, andis configured to grant a user access to the first web resource; and
  
  transmitting the first access token to the first electronic device so that the first electronic device can establish or connect to a virtual session with the first web resource, wherein one or more parameters associated with the user'"'"'s use of the first web resource are sent to the first electronic device so that the first electronic device can reconnect to the first web resource as a continuation of a previous virtual session.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The method of claim 11 further comprising, by the virtual session manager of the second electronic device when the first authentication request comprises a request to connect to an existing session:
    - identifying the one or more parameters, the one or more parameters being associated with the user'"'"'s use of the first web resource at a time when the grant token was previously transmitted to the endpoint device.
  - 13. The method of claim 12 further comprising, by the virtual session manager of the second electronic device:
    - outputting identifiers for a plurality of virtual sessions for the first web resource, each of which has a corresponding grant token;
      
      receiving, via a user interface of the second electronic device, a selection of one of the virtual sessions; and
      
      transmitting, to the endpoint device with the first authentication request, a request to connect to the selected virtual session, wherein the grant token that is presented to the endpoint device is the grant token that corresponds to the selected virtual session.
  - 14. The method of claim 11 further comprising, by the virtual session manager of the second electronic device:
    - outputting identifiers for a plurality of available virtual sessions for the first web resource;
      
      receiving, via a user interface of the second electronic device, a request to start a new virtual session rather than connect to any of the available virtual sessions; and
      
      identifying the grant token as a new grant token for the new virtual session, and storing the new grant token in a memory of the second electronic device.
  - 15. The method of claim 14 further comprising, by the virtual session manager of the second electronic device when the first authentication request does not comprise a request to connect to an existing session:
    - generating a prompt for the user to present an access credential to the second electronic device;
      
      receiving the access credential via a user interface;
      
      confirming that the access credential authorizes the user to access the first web resource; and
      
      in response to receiving the access credential and confirming that the access credential authorizes the user to access the first web resource, including a request to start a new virtual session when transmitting the first access request to the endpoint device.
  - 16. The method of claim 11 further comprising, by the virtual session manager of the second electronic device:
    - when the first access token expires or is about to expire, receiving a re-authentication request;
      
      presenting the re-authentication request with the grant token to the endpoint device without the first electronic device having any access to the grant token;
      
      receiving an updated access token from the endpoint device, wherein the updated access token;
      
      is configured to replace the first access token and enable the user to maintain the virtual session, and has a life that is shorter than the life of the grant token; and
      
      transmitting the updated access token to the first electronic device.
  - 17. The method of claim 11 further comprising, by the virtual session manager of the second electronic device, presenting the user an interface via which a user may command the virtual session manager to do one or more of the following:
    - disable the virtual session, in which case the virtual session manager will cease obtaining access tokens for the virtual session;
      
      re-enable a disabled virtual session, in which case the virtual session manager will grant an updated access token for the disabled virtual session to all electronic devices for which the virtual session manager previously disabled access;
      
      re-group a virtual session, in which case the virtual session manager will identify an alternate virtual session for which it has a grant token, send the grant token for the alternate virtual session to the endpoint device, receive an alternate access token from the endpoint device, and transmit the alternate access token to the first electronic device so that the first electronic device will replace the first access token with the alternate access token and use the alternate access token to connect to the alternate virtual session;
      
      delete the virtual session, in which case the virtual session manager will delete the grant token for the virtual session;
      
      orremove the first electronic device, in which case the virtual session manager will disable the first access token and prevent the first electronic device from receiving additional access tokens until the virtual session manager receives a valid authentication credential.
  - 18. The method of claim 11 further comprising, by the virtual session manager:
    - receiving an identifier of a user action;
      
      determining whether the user action matches an expected action;
      
      in response to detecting that the user action matches the expected action, generating a user presence token, wherein the user presence token has a life that is no longer than that of the first access token; and
      
      transmitting the user presence token to the first electronic device.
  - 19. The method of claim 11 further comprising, by the virtual session manager:
    - before transmitting the first access token to the first electronic device, also determining whether one or more additional rules are satisfied; and
      
      only transmitting the first access token to the first electronic device if and after confirming that the one or more additional rules are satisfied.

20. A method of maintaining a web session for a user, comprising:
- by one or more endpoint devices;
  
  receiving a first authentication request, wherein;
  
  the first authentication request comprises a request by a user agent of a first electronic device that is being used by a user to access a first web resource, andthe first authentication request is received from a second electronic device rather than the first electronic device;
  
  determining that the second electronic device includes a virtual session manager for the user and that the virtual session manager includes a grant token and the first electronic device does not have access to the grant token, and wherein a plurality of electronic devices including the second electronic device was discovered by the first electronic device and identifiers associated with each of the discovered plurality of electronic devices, including an identifier of the second electronic device, were presented to the user by the first electronic device;
  
  confirming that the grant token is valid; and
  
  transmitting a first access token to the second electronic device, wherein the first access token is configured to grant the user agent access to the first web resource, and wherein one or more parameters associated with the user'"'"'s use of the first web resource are sent to the first electronic device so that the first electronic device can reconnect to the first web resource as a continuation of a previous virtual session.
- View Dependent Claims (21, 22)
- - 21. The method of claim 20, wherein determining that the virtual session manager includes the grant token comprises receiving the grant token with the first authentication request.
  - 22. The method of claim 21 further comprising, by the one or more endpoint devices:
    - when the first access token expires or is about to expire, receiving a re-authentication request and the grant token from the second electronic device;
      
      confirming that the grant token is still valid, andsending an updated access token to the second electronic device, wherein the updated access token is configured to replace the first access token and enable the user agent to maintain access to the first web resource.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google LLC (Alphabet Inc.)
Inventors
Kong, Guibin, Agarwal, Naveen
Primary Examiner(s)
Tran, Tri M

Application Number

US15/395,541
Publication Number

US 20180191701A1
Time in Patent Office

1,033 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

H04L 63/0884   by delegation of authentica...

H04L 63/108   when the policy decisions a...

H04L 67/14   Session management for real...

Authenticated session management across multiple electronic devices using a virtual session manager

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

112 Citations

22 Claims

Specification

Use Cases

Quick Links

Others

Authenticated session management across multiple electronic devices using a virtual session manager

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

112 Citations

22 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others